Windows平台下的session0建立进程的问题与解决办法

不少博客都有记载如何在session0下建立进程的办法,也就是使用CreateProcessAsUser。可是这个要求服务的进程有SE_INCREASE_QUOTA_NAME和SE_ASSIGNPRIMARYTOKEN_NAME权限若是设置的登陆用户是LocalServer的话,是默认有以上两个权限。可是若是是本身建立的帐户,那么是不具备SE_ASSIGNPRIMARYTOKEN_NAME的权限。git

service

 

    查看用户的权限能够经过gpedit.msc工具中,在“计算机配置”-- “Windows设置” -- “安全设置” -- “本地策略” -- “用户权限分配”中查看。或者经过secedit.exe导出本地策略。github

 

    手动能够经过以上的方法设置,可是经过程序,在登陆帐户下的进程是没法设置。可是能够使用secedit.exe进行导出导入进行设置。导出的信息包括如下一部分:安全

  1 [Privilege Rights]
  2 SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-32-581
  3 SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
  4 SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
  5 SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
  6 SeCreatePagefilePrivilege = *S-1-5-32-544
  7 SeDebugPrivilege = *S-1-5-32-544
  8 SeRemoteShutdownPrivilege = *S-1-5-32-544
  9 SeAuditPrivilege = *S-1-5-19,*S-1-5-20
 10 SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
 11 SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
 12 SeLoadDriverPrivilege = *S-1-5-32-544
 13 SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
 14 SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0,*S-1-5-83-0
 15 SeInteractiveLogonRight = __vmware__,Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-32-581
 16 SeSecurityPrivilege = *S-1-5-32-544
 17 SeSystemEnvironmentPrivilege = *S-1-5-32-544
 18 SeProfileSingleProcessPrivilege = *S-1-5-32-544
 19 SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
 20 SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
 21 SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
 22 SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
 23 SeTakeOwnershipPrivilege = *S-1-5-32-544
 24 SeDenyNetworkLogonRight = Guest
 25 SeDenyInteractiveLogonRight = Guest
 26 SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
 27 SeManageVolumePrivilege = *S-1-5-32-544
 28 SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
 29 SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
 30 SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
 31 SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
 32 SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
 33 SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
 34 

使用帐户的SID,更新到SeAssignPrimaryTokenPrivilege字段,该用户便可拥有了SE_ASSIGNPRIMARYTOKEN_NAME权限。获取SID能够经过LookupAccountName函数完整的用户的SID可经过注册表查看,路径为:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileListsession

 

整个过程总结一下:函数

第一步:使用LookupAccountName,经过服务登陆帐户名,获取该帐户的SID;工具

第二步:secedit.exe导出本地策略,将第一步获取的SID更新到SeAssignPrimaryTokenPrivilege字段;spa

          例如:secedit /export /cfg gp.infcode

第三步:使用secedit.exe,将新的配置文件导入到系统;blog

          例如:secedit /configure /db C:\\test.sdb /cfg gp.inf进程

第四步:重启计算机;

第五步:在服务进程中,使用CreateProcessAsUser进行子进程的建立。

 

示例代码地址:代码GetSIDByUserName.cpp和CreateProcessAsUser.cpp

相关文章
相关标签/搜索